Overview

What is the Cyber Resilience Review (CRR)?

• Examines cybersecurity practices in critical infrastructure organizations
• Is conducted in partnership with the U.S. Department of Homeland Security
• Evaluates the resilience of critical services
• Utilizes the goals and practices found in the CERT Resilience Management Model (CERT-RMM)
• Is completely voluntary and protected under the PCII (Protected Critical Infrastructure Information) program
• Is a one-day expert-facilitated workshop (typically 6-8 hours)
• Provides participants with a detailed report containing suggestions for improvement
• Collects data for the purpose of analyzing aggregated (non-attributable) results
CRR Benefits Participating Organizations

How the CRR helps organizations improve cyber resilience

• Identify their cybersecurity posture
• Develop a shared cyber resilience vision and roadmap
• Learn where to get help and information about cyber resilience
• Communicate using a common language
• Prioritize options and support decision making
• Measure their progress in improving cyber resilience
• Prepare for and facilitate change
CRR Assessment (v1 and v2) summary

Between FY 2009 and present [as of 11/25/2013] CSEP conducted 268 CRRs.

Sector                                  Count
CIKR (Private)                            128
  Energy                                   31
  Healthcare and Public Health             23
  Commercial Facilities                    13
  Transportation Systems                   12
  Government Facilities                    11
  Banking and Finance                      11
  Water                                    10
  Critical Manufacturing                    6
  Information Technology                    5
  Agriculture and Food                      3
  Chemical                                  1
  Communications                            1
  Dams                                      1
CIKR (SLTT)                               140
  Government Facilities                    31
  Information Technology                   30
  Emergency Services                       27
  Water                                    24
  Transportation Systems                   20
  Energy                                    5
  Healthcare and Public Health              2
  Banking and Finance                       1
Grand Total                               268
CRR Data Analysis: Selected Highlights

Summary Findings (115 organizations, 43 states, 12 sectors)

Asset Management: More than 70% of organizations identify critical services; however, less than 50% of organizations assessed have identified the assets that support critical services.

Vulnerability Management: More than 55% of organizations have not developed a strategy to guide their vulnerability management efforts.

Incident Management: 65% of organizations lack a process to escalate and resolve incidents.

External Dependencies Management: More than 80% of the organizations assessed identify external dependencies that are vital to the delivery of critical services.
Operational Resilience Defined

Resilience: The physical property of a material when it can return to its original shape or position after deformation that does not exceed its elastic limit [wordnet.princeton.edu]

Operational resilience: The emergent property of an organization that can continue to carry out its mission after disruption that does not exceed its operational limit [CERT-RMM]

Where does the disruption come from? Realized risk.

Establishing a Critical Service Focus

Domain Structure

Process Institutionalization in the CRR

Maturity indicator levels (MIL) are used in CRR v2 to measure process institutionalization
Ten Domains of Cybersecurity Capability

The ten domains in CRR v2 represent important areas that contribute to the cyber resilience of an organization.

The domains focus on practices that an organization should have in place to assure the protection and sustainment of its critical service.

CRR Domains

AM    Asset Management
CCM   Configuration and Change Management
RM    Risk Management
CTRL  Controls Management
VM    Vulnerability Management
IM    Incident Management
SCM   Service Continuity Management
EXD   External Dependencies Management
TA    Training and Awareness
SA    Situational Awareness
Domain Details

CRR Domain                            Number of Goals   Number of Goal Practices   Number of MIL Practices
Asset Management                             7                    24                        13
Controls Management                          4                     7                        13
Configuration and Change Management          3                    15                        13
Vulnerability Management                     4                    12                        13
Incident Management                          5                    23                        13
Service Continuity Management                4                    15                        13
Risk Management                              5                    13                        13
External Dependencies Management             5                    14                        13
Training and Awareness                       2                     8                        13
Situational Awareness                        3                     8                        13
Model Domains (1-2 of 10)

Asset Management (AM)

The purpose of Asset Management is to identify, document, and manage organizational assets during their life cycle to ensure sustained productivity to support the critical service.

Asset Management includes activities that an organization conducts to deploy its people, information, technology, and facilities that support critical services. This section focuses on whether the organization inventories its high-value assets and how it maintains asset-to-service traceability. This traceability is important because it serves as the basis for understanding the cybersecurity requirements of assets.

Configuration and Change Management (CCM)

The purpose of Configuration and Change Management is to establish processes to maintain the integrity of all assets (technology, information, and facilities) required for delivery of the critical service.

Configuration and Change Management focuses on how the organization manages asset configurations and how it ensures that it remains in control of changes to those assets, with particular attention paid to technology assets. Configuration and Change Management also investigates whether the traceability established in Asset Management benefits the organization as it manages changes.

Model Domains (3-4 of 10)

Risk Management (RM)

The purpose of Risk Management is to identify, analyze, and mitigate risks to organizational assets that could adversely affect the operation and delivery of services. It has six goals: prepare for risk management, establish risk parameters and focus, identify risk, analyze risk, mitigate and control risk, and use risk information to manage resilience.

Risk Management examines how the organization identifies, analyzes, and mitigates cybersecurity risk. This domain includes discussions about how the organization performs cybersecurity risk assessments, how it makes decisions about cybersecurity risk, and how the organization benefits from an active cybersecurity risk management program.

Controls Management (CTRL)

The purpose of Controls Management is to establish, monitor, analyze, and manage an internal control system that ensures the effectiveness and efficiency of operations by assuring mission success of high-value services and the assets that support them. It has four specific goals: establish control objectives, establish controls that support control objectives, analyze controls to ensure they satisfy control objectives, and assess control effectiveness.

Model Domains (5-6 of 10)

Vulnerability Management (VM)

The purpose of Vulnerability Management is to identify, analyze, and manage vulnerabilities in the assets that support delivery of the critical service.

Vulnerability Management involves practices that identify and resolve weaknesses in assets that may affect critical services. Practices discussed include the discovery of vulnerabilities, how the organization manages exposure to vulnerabilities, and how the organization works to ensure that the root cause of vulnerabilities is discovered.

Incident Management (IM)

The purpose of Incident Management (Incident Management and Control in CERT-RMM) is to establish processes to identify and analyze events, detect incidents, and determine and implement an appropriate organizational response.

Incident Management examines how the organization identifies and responds to cybersecurity incidents that affect the critical service. It has five goals: establish the incident management and control process, detect events, declare incidents, respond to and recover from incidents, and establish incident learning.

Model Domains (7-8 of 10)

Service Continuity Management (SCM)

Service Continuity Management examines how the organization conducts contingency planning for the continuity of the critical service. Activities discussed include how plans are developed, tested, and maintained in order to ensure that they are realistic and actionable during times of operational stress.

External Dependencies Management (EXD)

External Dependencies Management focuses on establishing and managing an appropriate level of controls to ensure the resilience of services and assets that depend on the actions of external entities. Outsourcing of services, development, production, and even asset management has become a normal and routine operational element for many organizations. Increasingly, organizations are also exposing technology systems, information, and other high-value assets to customers to enable the seamless and efficient flow of business processes. This domain focuses on how the organization identifies these dependencies and manages the risk to the critical service that arises from the failure of these relationships.

Model Domains (9-10 of 10)

Training and Awareness (TA)

The purpose of Training and Awareness is to promote awareness in, and develop the skills and knowledge of, people in support of their roles in attaining and sustaining operational resilience. It focuses exclusively on skills, knowledge, and cognizance for resilience activities, not generalized training across the organization. However, these resilience training and awareness activities should integrate with and be supported by the organization's overall training and awareness program and plan.

Training and Awareness involves examining how the organization manages the cybersecurity education of the employees that support the critical service. In this context, training is the development of new skills, and awareness is the dissemination of current cybersecurity information. Activities reviewed include how the organization identifies training and awareness needs and works to ensure that it meets those needs reliably.

Situational Awareness (SA)

The purpose of Situational Awareness is to actively discover and analyze information related to immediate operational stability and security, and to coordinate such information across the enterprise to ensure that all organizational units are performing under a common operating picture.

Activities examined include how the organization maintains operational stability and cybersecurity via a common operating picture, and whether or not the organization has identified prudent and practical steps it might take to reduce its attack surface, safeguarding the critical service.

3-Point Answer Scale

Answer        The organization's performance of the practice described in the model is ...
Yes           Complete
Incomplete    Incomplete; there are multiple opportunities for improvement
No            Absent; the practice is not performed in the organization
CRR Analysis and Report Generation Overview

The analysis and report generation is performed in four steps. The first step is completed in the CRR workshop.

1. Complete the Data Capture Form
2. Export .xml
3. Import the XML into the Excel Score Sheet
4. Generate CRR Reports using the .docm templates
CRR Data Capture Form - 1

1 ASSET MANAGEMENT

The purpose of Asset Management is to identify, document, and manage assets during their life cycle to ensure sustained productivity to support critical services.

Each question is answered Yes / Incomplete / No. The Goal 2 questions are answered separately for each asset type: People, Information, Technology, Facilities.

Goal 1 - Services are identified and prioritized.

1. Are services identified? [SC:SG2.SP1]
2. Are services prioritized based on analysis of the potential impact if the services are disrupted? [SC:SG2.SP1]

Goal 2 - Assets are inventoried, and the authority and responsibility for these assets is established.

1. Are the assets that directly support the critical service inventoried? [ADM:SG1.SP1]
   (People / Information / Technology / Facilities)
2. Do asset descriptions include protection and sustainment requirements? [ADM:SG1.SP2]
   (People / Information / Technology / Facilities)
3. Are both owners and custodians of assets documented in asset descriptions? [ADM:SG1.SP3]
   (People / Information / Technology / Facilities)
4. Are the physical locations of assets (both within and outside the organization) documented in the asset inventory? [ADM:SG1.SP3]
   (People / Information / Technology / Facilities)
Guidance for Questions

Consideration of the consequences of the loss of high-value organizational services is typically performed as part of a business impact analysis. In addition, the consequences of risks to high-value services are identified and analyzed in risk assessment activities. The organization must consider this information when prioritizing high-value services.

Typical work products:

1. Prioritized list of the organization's services, activities, and associated assets
2. Results of security risk assessment and business impact analyses

A "yes" answer means that the services documented in AM1-1 include a priority, or that there is a separate repository of information that prioritizes services based on their potential impact of disruption.
CRR Data Capture Form

Each domain concludes with Maturity Indicator Level (MIL) questions

MIL 1 = Performed
MIL 2 = Planned
MIL 3 = Managed
MIL 4 = Measured
MIL 5 = Defined

1 ASSET MANAGEMENT

MIL 2 (Planned)
1. Is there a documented plan for performing asset management activities?
2. Is there a documented policy for asset management?
3. Have stakeholders for asset management activities been identified and made aware of their roles?
4. Have asset management standards and guidelines been identified and implemented?

MIL 3 (Managed)
1. Is there management oversight of the performance of the asset management activities?
2. Have qualified staff been assigned to perform asset management activities as planned?
3. Is there adequate funding to perform asset management activities as planned?
4. Are risks related to the performance of planned asset management activities identified, analyzed, disposed of, monitored, and controlled?

MIL 4 (Measured)
1. Are asset management activities periodically reviewed and measured to ensure they are effective and producing intended results?
2. Are asset management activities periodically reviewed to ensure they are adhering to the plan?
3. Is higher-level management aware of issues related to the performance of asset management?

MIL 5 (Defined)
1. Has the organization adopted a standard definition of asset management activities from which operating units can derive practices that fit their unique operating circumstances?
2. Are improvements to asset management activities documented and shared across the organization?
CRR Data Capture Form - 3

When there is a "No" answer to a question that has linked dependent questions, the answer shows in both questions, with the dependent question highlighted in blue as shown below.

Goal 1 - Services are identified and prioritized.

                                                                          Yes  Incomplete  No
1. Are services identified? [SC:SG2.SP1]                                  [ ]     [ ]     [x]
2. Are services prioritized based on analysis of the potential impact
   if the services are disrupted? [SC:SG2.SP1]                            [ ]     [ ]     [x]  (highlighted in blue)

If the answer to the original question is changed, the dependent question remains unchanged.

If the answer to the dependent question is changed, the highlighting is removed and the new answer appears. You may need to revisit the first question.
Data is imported from the capture form

Scoresheet Instructions

Import XML Data - Right click the PCII # cell and select XML Import. You can manually enter or edit this number after import.

Prepare Assessment Information - Select the assessment point of contact from the dropdown list.

Prepare Scoresheet - Press this button to initiate score calculation. This is necessary to properly populate the other tabs in this scoresheet before generating reports.

Generate Report - Open the MS Word report template provided with this scoresheet (Customer Review or Final) and update links when asked. This will import the latest data from this scoresheet into the Word template.

Optional: Import Navigator Notes - Go to the NavNotes tab, right click any purple cell and select XML Import.
Reports are generated

Scoresheet Instructions (continued)

The same Import XML Data, Prepare Assessment Information, Prepare Scoresheet, and Generate Report steps apply; Generate Report imports the latest data from the scoresheet into the Word template. Two further optional steps are available:

Optional: Compare Assessments - To compare multiple versions of an assessment from different Navigators, import the first XML file in Step 1 above. Click the Prepare Comparison button to set up a comparison. Import the second XML file (Step 1 above). If additional files are to be compared, click Prepare Comparison again and then import the next file. After the last file is imported, click View Comparison.

Optional: Import Navigator Notes - Go to the NavNotes tab, right click any purple cell and select XML Import. A Compare Notes button is provided on that tab for comparing notes from different Navigators.
Basic CRR Scoring Information

1. Practices are either "Yes" (Performed), "Incomplete" (Incompletely Performed), or "No" (Not Performed).
2. MIL questions are either "Yes" (Performed), "Incomplete" (Incompletely Performed), or "No" (Not Performed).
3. A goal is "Achieved" only if all practices are performed.
   • Practices must be performed for a goal to be "Achieved."
4. A domain is scored at MIL 1 if all of the goals in the domain are achieved.
5. Scores for MILs 2-5 apply only to those practices that are performed (are awarded a "Yes" answer).

The CRR Scoring Rubric

Step 1: Score Each Practice Question
• A practice is scored as "Performed" when the practice question is answered with a "Yes."
• A practice is scored as "Not Performed" when the practice question is answered with an "Incomplete" or a "No."

Step 2: Score Each Domain Goal
• A goal is scored as "Achieved" when all practices are performed.
• A goal is "Partially Achieved" when some practices are performed.
• A goal is "Not Achieved" when no practices are performed.

Step 3: Score MIL Questions
• A MIL question is scored as "Performed" when the question is answered with a "Yes."
• A MIL question is scored as "Not Performed" when the question is answered with an "Incomplete" or a "No."
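The scoring rubric above (the Basic CRR Scoring Information list and the three rubric steps), together with the linked dependent-question rule from the Data Capture Form - 3 slide, as an added worked example in Python. This is not SEI's Excel scoresheet logic and is not taken from the CRR materials: the question IDs (AM1-1, AM2-1, ...), the dependency map, the per-domain answers, the cut-down goal layout and the cumulative treatment of MIL 2-5 (each level awarded only if the previous one was) are assumptions made for the example, and the per-asset-type sub-answers of the Goal 2 questions are not modeled.

```python
"""Worked example of the CRR scoring rubric (added illustration, not SEI code)."""
from __future__ import annotations

from dataclasses import dataclass

# The three-point answer scale from the Data Capture Form.
ANSWERS = ("Yes", "Incomplete", "No")


def practice_performed(answer: str) -> bool:
    """Rubric steps 1 and 3: only "Yes" is Performed; "Incomplete" and "No" are not."""
    if answer not in ANSWERS:
        raise ValueError(f"unknown answer {answer!r}; expected one of {ANSWERS}")
    return answer == "Yes"


def score_goal(practice_answers: list[str]) -> str:
    """Rubric step 2: Achieved / Partially Achieved / Not Achieved."""
    if not practice_answers:
        raise ValueError("a goal must have at least one practice question")
    performed = sum(practice_performed(a) for a in practice_answers)
    if performed == len(practice_answers):
        return "Achieved"
    if performed == 0:
        return "Not Achieved"
    return "Partially Achieved"


def apply_dependencies(answers: dict[str, str], deps: dict[str, list[str]]) -> dict[str, str]:
    """Capture-form rule: a "No" on a question is copied to its linked dependent
    questions. A dependent that already has an explicit answer keeps it, which is
    why the form tells the navigator to revisit the first question."""
    resolved = dict(answers)
    for parent, children in deps.items():
        if resolved.get(parent) == "No":
            for child in children:
                resolved.setdefault(child, "No")
    return resolved


@dataclass
class Domain:
    name: str
    goals: dict[str, list[str]]          # goal id -> answers to its practice questions
    mil_questions: dict[int, list[str]]  # MIL level (2..5) -> answers to that level's questions


def score_domain(domain: Domain) -> dict:
    """MIL 1 when every goal is Achieved. MIL 2-5 are awarded in order, each only
    if every question at that level is "Yes"; treating the levels as cumulative is
    an assumption of this example, not a rule quoted from the slides."""
    goal_scores = {g: score_goal(a) for g, a in domain.goals.items()}
    mil = 1 if all(s == "Achieved" for s in goal_scores.values()) else 0
    if mil == 1:
        for level in (2, 3, 4, 5):
            questions = domain.mil_questions.get(level, [])
            if questions and all(practice_performed(a) for a in questions):
                mil = level
            else:
                break
    return {"domain": domain.name, "goals": goal_scores, "mil": mil}


def example() -> dict[str, dict]:
    """Constructed sample answers (not real assessment data). Question IDs follow
    the AM1-1 style used on the form; the goal and dependency layout is cut down."""
    # AM1-2 (services prioritized) is linked to AM1-1 (services identified):
    # the "No" on AM1-1 propagates, so goal 1 scores Not Achieved.
    raw = {"AM1-1": "No", "AM2-1": "Yes", "AM2-2": "Incomplete"}
    answers = apply_dependencies(raw, {"AM1-1": ["AM1-2"]})
    am = Domain(
        "Asset Management",
        goals={"G1": [answers["AM1-1"], answers["AM1-2"]],
               "G2": [answers["AM2-1"], answers["AM2-2"]]},
        # Every MIL question "Yes", yet the domain stays at MIL 0: goals come first.
        mil_questions={2: ["Yes"] * 4, 3: ["Yes"] * 4, 4: ["Yes"] * 3, 5: ["Yes"] * 2},
    )
    vm = Domain(
        "Vulnerability Management",
        goals={"G1": ["Yes", "Yes"], "G2": ["Yes", "Yes", "Yes"]},
        # One "Incomplete" at MIL 4 stops the climb at MIL 3.
        mil_questions={2: ["Yes"] * 4, 3: ["Yes"] * 4,
                       4: ["Yes", "Incomplete", "Yes"], 5: ["Yes", "Yes"]},
    )
    return {d.name: score_domain(d) for d in (am, vm)}


if __name__ == "__main__":
    for name, result in example().items():
        print(name, result["goals"], "MIL", result["mil"])
```

The two constructed domains show the two rules practitioners most often get wrong when reading a CRR report: "Incomplete" counts as Not Performed, so a single partial answer blocks a goal (and, at MIL 2-5, blocks the level), and MIL questions contribute nothing until every goal in the domain is Achieved.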
Report Example

Detail and Options

Goal 2 - Assets are inventoried, and authority and responsibility for these assets is established.

1. Are the assets that directly support the critical service inventoried? [ADM:SG1.SP1]
   People / Information / Technology / Facilities
2. Do asset descriptions include protection and sustainment requirements? [ADM:SG1.SP2]
   People / Information / Technology / Facilities
3. Are both owners and custodians of assets documented in asset descriptions? [ADM:SG1.SP3]
   People / Information / Technology / Facilities
4. Are the physical locations of assets (both within and outside the organization) documented in the asset inventory? [ADM:SG1.SP3]
   People / Information / Technology / Facilities

(The report lists the answer given for each asset type; in this example the answers are a mix of "Yes" and "Incomplete".)

Option for Consideration:

Q1 CERT-RMM Reference
[ADM:SG1.SP1] Identify and inventory high-value assets. An organization must be able to identify its high-value assets, document them, and establish their value in order to develop strategies for protecting and sustaining assets commensurate with their value to services.

Additional References
NIST Special Publication 800-18 Revision 1, "Guide for Developing Security Plans for Federal Information Systems", Page 2-3

Q2 CERT-RMM Reference
[ADM:SG1.SP2] Update the asset database with asset profile information. All information relevant to the asset (collected from the asset profile) should be contained with the asset in its entry in the asset database. Strategies to protect and sustain an asset may be documented as part of the asset profile.
Report Example - Summary Heat Map

Report Example - MIL Scores

[Bar chart: Maturity Indicator Level by Domain. One bar per domain (Asset Management, Controls Management, Configuration and Change Management, Vulnerability Management, Incident Management, Service Continuity Management, Risk Management, External Dependencies Management, Training and Awareness, Situational Awareness); x-axis "Maturity Indicator Level", 0 to 5; series: Your Results, All Participants]

Report Example - Results Compared

[Bar chart: Percentage "Yes" Answers per domain, same ten domains; series: Your Results]
Questions?

Notices

Copyright 2013 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material has been approved for public release and unlimited distribution.

The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at 252.227-7013 and 252.227-7013 Alternate I.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

Carnegie Mellon®, CERT® are registered in the U.S. Patent and Trademark Office by Carnegie Mellon University.
DM-0000506
SEI Training

Introduction to the CERT Resilience Management Model

February 18-20, 2014 (SEI, Arlington, VA)
June 17-19, 2014 (SEI, Pittsburgh, PA)

See Materials Widget for course document